When U.S. Immigration and Customs Enforcement attorney Raphael Sanchez stole the identities of eight foreign nationals, he probably thought that he was picking on victims who would never report the theft. He was wrong.
After stealing their personal information from the ICE database, Sanchez forged new Social Security cards and driver’s licenses using their names, but with his photo and physical address. He opened new email, bank, and public-utility accounts; took out personal loans and lines of credit; created a series of bogus business entities; and paid himself for nonexistent services using these synthetic identities.
All together, Sanchez defrauded six banks of nearly $200,000 over a four-year span. He confessed and pleaded guilty to these crimes in February. And he was sentenced last month to four years in federal prison and ordered to pay back all the money he stole.
READ MORE ON IDENTITY THEFT AND FRAUD
How to deal with Equifax and our ‘broken’ credit protection system
Businesses can buy ‘cyberinsurance.’ Why can’t you?
Special report: How data brokers slice up your private life
What to do when you’re caught in a data breach
Homing in on the future of identity
Synthetic identity fraud, which uses a combination of real and fictional information to create new accounts, is one of the fastest-growing forms of cybercrime. According to Javelin Strategy and Research, new-account fraud grew 70 percent last year.
“Over the last 18 months, we’ve seen a big uptick in synthetic fraud by organized crime,” says Brett Johnson, a security consultant and co-host of the OnlineFraudCast podcast. “It’s now a cornerstone of carder communities on the Dark Web,” a thriving ecosystem for fraud.
Johnson should know. As founder of Shadowcrew, the notorious band of cybercriminals famous for stealing and selling credit card information in the early 2000s, he pretty much invented the genre.
A booming black market for identity fraud
After getting caught, Johnson spent seven and a half years behind bars. Now he consults with law enforcement agencies and banks on how to detect and prevent fraud.
One of the reasons synthetic identity fraud is booming is that it’s relatively easy and inexpensive to pull off, Johnson says. This is largely because massive data breaches have flooded the Dark Web with billions of records, from credit card data to driver’s licenses to Social Security numbers.
“The most effective way to commit synthetic identity fraud is to simply buy a kid’s name, date of birth, and SSN [on the Dark Web], and use that to set up accounts,” he says. “You can build a complete synthetic profile in the banking system, cash out, and the kid won’t know about it for years.”
An SSN, date of birth, and address history sell for as little as $3 on a site called Robocheck, Johnson says. On trading sites like Hidden Hand or Green Market, full records (known by hackers as “fullz”) containing physical addresses, credit card and verification numbers, employment records, SSNs, dates of birth, and other types of personal data range from $40 to $130, depending on credit score, location, and other factors, Johnson says.
These sites are about as hard to find and use as eBay. In fewer than five minutes, we found a post advertising fullz for $5 to $20 each, depending on volume purchased.
The next step for the thief is obtaining your credit report.
Once crooks have your essentials, they can use publicly available information from the Web, social media, and people-finding sites to answer the knowledge-based authentication questions on a site like AnnualCreditReport.com. This gets them to a free copy of your report.
With your report in hand, they can file a change of address with the U.S. Postal Service, request replacement cards from your banks, and max them out. They can create new accounts in your name (and connected to your SSN), and max them out.
While the banks will absorb nearly all of the financial losses—last year, it was nearly $17 billion—it can take consumers months to sort out the mess and years before their credit rating recovers. In the meantime, many identity fraud victims find themselves unable to pay their bills, take out a loan, rent an apartment, or get a job, says Eva Velasquez, CEO and president of the Identity Theft Resource Center (ITRC).
“Someone can open new accounts in your name, and suddenly your credit is destroyed,” she says. “You can’t rent an apartment because you can’t pass the credit check. You can’t pass a background check for a job because someone committed a crime in your name.”
Credit scores for sale
One challenge for fraudsters is that synthetic accounts often lack a credit history. This is especially true when children have their identities stolen, which happens more than 1 million times a year.
Crooks get around that problem by getting their fake persona added as an authorized user on someone else’s account, effectively renting that person’s credit score, Johnson says.
Search for “authorized user tradelines,” and you’ll find plenty of marketplaces where card owners happily sell access to their credit score for several hundred dollars apiece.
“If I set up a brand-new credit profile in a system that’s only a week old, but add a credit card that’s 10 years old, that synthetic profile looks 10 years old as well,” Johnson says. “You can go from a 0 credit score to a high 700 in about 30 days.”
On one popular tradeline, we found authorized user credentials selling for as little as $250 (for a year-old account with a $3,600 credit limit) and as much as $1,825 (five years old, $50,000).
Most cybercriminals wouldn’t spend nearly that much, Johnson says. They’d simply buy a bank log-in on the Dark Web for $10, and secretly add themselves to others’ cards.
Once they get your credit score high enough, they can apply for an Employer Identification Number with the IRS, then potentially qualify for business lines of credit worth hundreds of thousands of dollars.
“We see criminals doing this kind of stuff on 20 to 30 profiles at a time,” he says.
Protect yo self before you wreck yo self
Synthetic identity fraud is not as well known or understood as you might think, Johnson adds.
“I’ve spoken to the FBI, police departments, and a lot of banks,” he says. “Most of them don’t understand what synthetic fraud is or how it’s committed. When I tell them, it’s one of those ‘Oh sh*t, we’ve got to do something about this!’ moments.”
Fortunately for consumers, major banks have gotten extremely good at using artificial intelligence to flag potentially fraudulent transactions, notes Ben Colvin, a senior vice president in Mastercard’s enterprise security division. Their AI software, powered by machine-learning algorithms, looks at typical behavior both by individual cardholders and other cardholders with similar habits, then identifies anomalies.
Smaller institutions typically have to rely on more manual ways of identifying fraud.
“A lot of the larger banks have that sophistication, but the smaller community banks don’t always have the resources,” Colvin says.
The Economic Growth, Regulatory Relief, and Consumer Protection Act, signed into law in May, will make it easier for banks to verify SSNs, which should ultimately reduce the amount of synthetic fraud over time.
In the meantime, consumers can protect themselves by putting a freeze on all three of their credit reports, so new accounts can’t be opened without their knowledge. They can monitor all their bank accounts, and add alerts for every transaction. And they can use a good password manager to keep track of—and automatically fill in—unique and complex passwords for authentic online services.
“Ninety-two percent of breaches begin with phishing attacks, because it’s easier to ask someone for permission than to brute-force your way in,” Johnson says, referring to attacks that begin with emails leading users to fake log-in pages designed to look like the real ones. “There is no patch for human stupidity. So always use a password manager.”